Manage Access to file shares Azure

Gabriel Gonzalez 0 Reputation points
2024-05-15T08:18:18.9633333+00:00

I created a file share system with 9 file shares that go to different people.

I can't limit access or specify who should have access to what.

I've read a bunch of documentation, but I don't think I understand it correctly.

I tried to give access through Access Control (IAM). I can see that the correct people are in the correct file share, but in practice every person has access to all the file shares.

I read about ACLs, but that is for containers, and I want to use file shares for structured data. And documentation about Entra authentication.

I have tried enabling Active Directory Domain Services (AD DS), Microsoft Entra Domain Services & Microsoft Entra Kerberos. And looked in the configurations. Set share-level permissions.

If something is unclear, please ask.


1 answer

  1. Nehruji R 8,146 Reputation points Microsoft Vendor
    2024-05-16T07:36:38.7733333+00:00

    Hello Gabriel Gonzalez,

    Greetings! Welcome to Microsoft Q&A Platform.

    Once you've enabled an Active Directory (AD) source for your storage account, you must configure share-level permissions in order to get access to your file share. There are two ways you can assign share-level permissions. You can assign them to specific Microsoft Entra users/groups, and you can assign them to all authenticated identities as a default share-level permission.

    Share-level permissions on Azure file shares are configured for Microsoft Entra users, groups, or service principals, while directory and file-level permissions are enforced using Windows access control lists (ACLs). You must assign share-level permissions to the Microsoft Entra identity representing the same user, group, or service principal in your AD DS in order to support AD DS authentication to your Azure file share.

    To configure access to Azure Files shares, you need to follow these steps:

    1. Create and configure Azure file shares by creating a storage account, creating a file share, enabling SMB Multichannel, configuring identity, setting a default share-level permission, and mounting the Azure file share using your storage account key. You can refer to Configure Azure Files for HPC Pack for detailed steps.
    2. Configure and use HPC Pack file shares by creating Azure file shares and configuring Windows ACLs according to the original file share. You can refer to Configure HPC Pack with Azure Files for detailed steps.

    Please note that these steps are general guidelines and may need to be adjusted based on your specific requirements and environment.

    Additional information:

    When it comes to setting up access to Azure Files shares, there are a few best practices that you can follow to ensure efficient and secure access management:

    Use Azure AD DS for authentication: Azure AD DS provides a managed domain service that can be used to authenticate users and computers in Azure. By using Azure AD DS, you can leverage your existing on-premises Active Directory infrastructure and extend it to the cloud. This can simplify access management and reduce the need for complex permission configurations.

    Use RBAC to manage access: Azure Role-Based Access Control (RBAC) can be used to manage access to Azure resources, including Azure Files shares. By using RBAC, you can assign roles to users or groups that define the level of access they have to Azure Files shares. This can simplify access management and reduce the need for complex permission configurations.

    Use Azure AD groups for access management: Azure AD groups can be used to manage access to Azure Files shares. By creating groups and assigning permissions to those groups, you can simplify access management and reduce the need for complex permission configurations.

    Use Azure Files ACLs for fine-grained access control: Azure Files Access Control Lists (ACLs) can be used to provide fine-grained access control to files and folders within Azure Files shares. By using ACLs, you can assign permissions to individual files and folders, rather than relying on broad permissions at the share level.

    Use Azure Policy to enforce access policies: Azure Policy can be used to enforce access policies for Azure resources, including Azure Files shares. By using Azure Policy, you can ensure that access to Azure Files shares is compliant with your organization's policies and standards.

    In terms of your specific scenario, it may be beneficial to use a combination of RBAC, Azure AD groups, and Azure Files ACLs to manage access to Azure Files shares. By assigning roles to groups and using ACLs to provide fine-grained access control, you can simplify access management and reduce the need for complex permission configurations.

    Refer to https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-assign-permissions?tabs=azure-portal and https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-configure-permissions

    Hope this answer helps! Please let us know if you have any further queries. I’m happy to assist you further.


    Please "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.
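
An added example, not part of the question or the answer above: Azure RBAC assignments are inherited downward, so an SMB share role assigned at storage-account scope (or higher) applies to every file share in that account, whatever the per-share assignments say. The audit below separates per-share grants from inherited ones in role-assignment records shaped like the JSON output of `az role assignment list --all`; the account, share and group names are constructed for illustration.

```python
# Built-in Azure roles that grant share-level SMB access to Azure Files.
SMB_ROLES = {
    "Storage File Data SMB Share Reader",
    "Storage File Data SMB Share Contributor",
    "Storage File Data SMB Share Elevated Contributor",
}
MARKER = "/fileservices/default/fileshares/"

def share_of(scope):
    """Return the share name if the scope targets one file share, else None."""
    idx = scope.lower().find(MARKER)
    if idx == -1:
        return None  # account, resource group or subscription scope
    return scope[idx + len(MARKER):].strip("/") or None

def audit(assignments):
    """Return ({share: principals}, [assignments inherited by every share])."""
    per_share, inherited = {}, []
    for a in assignments:
        if a["roleDefinitionName"] not in SMB_ROLES:
            continue  # not a share-level SMB data role
        share = share_of(a["scope"])
        if share is None:
            inherited.append(a)
        else:
            per_share.setdefault(share, set()).add(a["principalName"])
    return per_share, inherited

def effective(share, per_share, inherited):
    """Principals with share-level access to `share`, inherited grants included."""
    return per_share.get(share, set()) | {a["principalName"] for a in inherited}

# Constructed sample; json.load() on the CLI output yields the same shape.
ACCT = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
        "/providers/Microsoft.Storage/storageAccounts/stdemo")
CONTRIB = "Storage File Data SMB Share Contributor"
SAMPLE = [
    {"principalName": "finance-team", "roleDefinitionName": CONTRIB,
     "scope": ACCT + "/fileServices/default/fileshares/finance"},
    {"principalName": "hr-team", "roleDefinitionName": CONTRIB,
     "scope": ACCT + "/fileServices/default/fileshares/hr"},
    {"principalName": "all-staff", "roleDefinitionName": CONTRIB, "scope": ACCT},
    {"principalName": "ops-admin", "roleDefinitionName": "Reader", "scope": ACCT},
]

if __name__ == "__main__":
    shares, broad = audit(SAMPLE)
    for a in broad:
        print("inherited by every share:", a["principalName"], "at", a["scope"])
    print("effective access to hr:", sorted(effective("hr", shares, broad)))
```

This audit covers role assignments only. A default share-level permission set on the storage account applies to all authenticated identities, and a share mounted with the storage account key is not limited by identity-based permissions, so check both separately.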
